logo

Database

Lack of data validation - Path Traversal In ghost

Description

Path Traversal in Ghost Ghost before 5.42.1 allows remote attackers to read arbitrary files within the active theme's folder via /assets/built%2F..%2F..%2F/ directory traversal. This occurs in frontend/web/middleware/static-theme.js.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2023-322352. NVD-2023-322353. OSV-2023-322354. GCVE-2023-32235

References

1. https://github.com/TryGhost/Ghost/commit/378dd913aa8d0fd0da29b0ffced8884579598b0f2. https://github.com/TryGhost/Ghost/compare/v5.42.0...v5.42.13. https://vulncheck.com/cve/CVE-2023-322354. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-32235.yaml5. https://github.com/AXRoux/Ghost-Path-Traversal-CVE-2023-32235-

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.